Hi,
I recently upgraded from ISA 2006 EE running on Windows Server 2003 EE to TMG 2010 (and SP2) running on Windows 2008 R2 SP1. I used the export method to move my ISA configuration to the new TMG server. After setting up TMG and importing, I'm about 90% in good shape. One of the things I'm having an issue with is DNS resolution.
In both my previous ISA config and the new TMG server, there is no external DNS defined on the TMG server; DNS on the TMG server points to my internal AD DNS servers. These internal AD DNS servers have DNS forwarders that point to my ISP's DNS servers. This all worked great with my ISA Server. Per the original ISA config I have a rule that allows DNS traffic from the internal network to the external network. This has always worked with no issues on the ISA server.
After moving to the new TMG server I'm having some problems with my internal DNS servers being able to get to the ISP's DNS servers to resolve external addresses. If I look at the traffic for one of my internal DNS servers I can see the traffic that uses the external DNS rule going through correctly. But I also see lots of traffic from the same internal DNS server that looks like this:
Closed Connection TMGSERVER 1/8/2013 8:11:40 AM
Log type: Firewall service
Status: A connection was terminated because it was idle for more than the time-out period, or the time-out on an incompleted action expired.
Rule: Default rule
Source: Internal (172.XX.XXX.219:54271)
Destination: External (69.31.59.199:53)
Protocol: Unidentified IP Traffic (UDP:53)
What I don't understand is why this traffic is being blocked. Shouldn't this traffic be using the DNS rule, since it's using UDP and port 53 for DNS?
On my old ISA server I had a rule that allowed all outbound traffic for all internal clients, but I had to get rid of this rule because it appeared to be causing problems for TMG: I think there was too much traffic for TMG to keep up with, so it was dropping packets. After getting rid of the allow-all-outbound rule for all internal clients and replacing it with a web publishing rule, things seemed to get better, but DNS is still not quite working correctly all the time. What do I need to do here?
Thanks in advance,
Nick
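As an added example (not part of the post above), a small Python script that parses TMG "Closed Connection" records in the layout quoted in the post and counts the port-53 flows that hit the Default rule rather than a DNS rule, per internal source and external resolver; the sample records and their addresses are constructed, and the rule name "DNS to External" is assumed.

```python
import re
from collections import Counter
# Constructed sample in the layout of the TMG "Closed Connection" records quoted in the post
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Closed Connection TMGSERVER 1/8/2013 8:11:40 AM
Log type: Firewall service
Status: A connection was terminated because it was idle for more than the time-out period.
Rule: Default rule
Source: Internal (172.16.0.219:54271)
Destination: External (203.0.113.53:53)
Protocol: Unidentified IP Traffic (UDP:53)
Closed Connection TMGSERVER 1/8/2013 8:11:41 AM
Log type: Firewall service
Status: A connection was closed.
Rule: DNS to External
Source: Internal (172.16.0.219:54272)
Destination: External (203.0.113.53:53)
Protocol: DNS
Closed Connection TMGSERVER 1/8/2013 8:11:42 AM
Log type: Firewall service
Status: A connection was terminated because it was idle for more than the time-out period.
Rule: Default rule
Source: Internal (172.16.0.220:49211)
Destination: External (203.0.113.54:53)
Protocol: Unidentified IP Traffic (UDP:53)
"""
ENDPOINT = re.compile(r"\((?P<ip>[\d.]+):(?P<port>\d+)\)")

def parse_records(text):
    """One dict per 'Closed Connection' record; each 'Key: value' line becomes a field."""
    records = []
    for chunk in re.split(r"^(?=Closed Connection )", text, flags=re.M):
        lines = chunk.strip().splitlines()
        if not lines:
            continue  # empty piece before the first header
        rec = dict(line.partition(": ")[::2] for line in lines[1:])
        for field in ("Source", "Destination"):
            m = ENDPOINT.search(rec.get(field, ""))
            rec[field + "_ip"], rec[field + "_port"] = (m["ip"], int(m["port"])) if m else (None, None)
        records.append(rec)
    return records

def unmatched_dns(records):
    """Port-53 flows that fell through to the Default rule instead of matching a DNS rule."""
    return [r for r in records if r["Destination_port"] == 53 and r.get("Rule") == "Default rule"]

def summarize(text):
    """Count unmatched DNS flows per (internal source, external resolver) pair."""
    return Counter((r["Source_ip"], r["Destination_ip"]) for r in unmatched_dns(parse_records(text)))
```

Each (source, resolver) pair in the summary is a flow the DNS rule's network or protocol scope did not cover, which is where to compare the rule definition against the log entry.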